CVE-2026-42591: Gotenberg has a Server-Side Request Forgery (SSRF) Issue
The SSRF hardening shipped in v8.31.0 only covers outbound URLs that Gotenberg’s Go code handles — Chromium asset fetches, webhook delivery, and download-from. The LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely bypassing the SSRF filters.
This was verified on v8.31.0 (the latest release at time of writing): converting a crafted DOCX produced 3 outbound HTTP requests from LibreOffice to the canary server used for testing.
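One defender-side control the advisory implies is to inspect the uploaded OOXML container before it reaches LibreOffice. The Go function below, an added example that is not Gotenberg's code, lists every relationship target marked TargetMode="External" inside a DOCX/XLSX/PPTX archive so a gateway in front of /forms/libreoffice/convert can reject such files; the function names and the sample archive (Type attributes omitted) are constructed assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"strings"
)
// relationships mirrors an OOXML *.rels part; only the attributes the check needs are mapped.
type relationships struct {
	Rels []struct{ Target, TargetMode string `xml:",attr"` } `xml:"Relationship"`
}
// ExternalTargets lists every relationship target marked TargetMode="External" in a DOCX/XLSX/PPTX archive.
// LibreOffice may fetch such targets itself, so a gateway can reject the document before conversion.
func ExternalTargets(doc []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, err // not a zip container, hence not OOXML
	}
	var found []string
	for _, f := range zr.File {
		if strings.HasSuffix(f.Name, ".rels") {
			rc, err := f.Open()
			if err != nil {
				return nil, err
			}
			var rels relationships
			err = xml.NewDecoder(rc).Decode(&rels)
			rc.Close()
			if err != nil {
				return nil, err // fail closed on an unreadable relationship part
			}
			for _, r := range rels.Rels {
				if strings.EqualFold(r.TargetMode, "External") {
					found = append(found, r.Target)
				}
			}
		}
	}
	return found, nil
}
// sampleDocx is a constructed minimal DOCX-style archive: one linked (external) image plus one internal part.
func sampleDocx() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("word/_rels/document.xml.rels")
	w.Write([]byte(`<Relationships><Relationship Id="rId1" Target="http://canary.example/pixel.png" TargetMode="External"/><Relationship Id="rId2" Target="styles.xml"/></Relationships>`))
	zw.Close()
	return buf.Bytes()
}
```

A non-empty result is a reason to refuse the conversion; legacy binary formats (.doc, .xls) need a separate parser since they are not zip containers.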